Combating cyber risk
In recognition of the growing threat posed by cyber crime to financial institutions, APRA is proposing to introduce a new prudential standard for information security management.
APRA’s current guidance on managing information security was issued in 2010 through Prudential Practice Guide CPG 234 Management of security risk in information and information technology. However, developments in the way technology is used by financial institutions, including the increasing use of third party service providers, and the continuing threat from cyber-crime have escalated to the extent that a binding prudential standard is now warranted.
The proposed new standard, CPS 234, is expected to be finalised later this year with a view to implementation from 1 July 2019. The new standard will require regulated entities to:
- clearly define the information security-related roles and responsibilities of the board, senior management, governing bodies and individuals;
- maintain information security capability commensurate with the size and extent of threats to information assets, and which enables the continued sound operation of the entity;
- implement information security controls to protect its information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls;
- have robust mechanisms in place to detect and respond to information security incidents in a timely manner; and
- notify APRA quickly of material information security incidents.
Although APRA-regulated entities are generally well-placed to meet the requirements set out in CPS 234 given the prior guidance contained in CPG 234, APRA expects all entities will continue to need to improve their information security practices. By doing so, they will be better prepared to safeguard the confidentiality, integrity and availability of their data and systems, to enable their continued sound operation.
No matter how strong security measures are, however, APRA also recommends entities adopt an ‘assumed breach position’ – in essence, assuming that at some point their information security defences will be penetrated. This mindset encourages the development of robust incident management practices that help ensure any incident is detected swiftly and dealt with effectively, thereby minimising the financial and reputational damage to the entity.
An accelerating risk
In announcing the proposed new standard at the Insurance Council of Australia’s Annual Forum in March¹, APRA Executive Board Member Geoff Summerhayes explained that, several decades after becoming a commercial threat, cyber-crime was no longer an emerging risk – it had well and truly emerged, and was evolving at an accelerating rate. In particular, Mr Summerhayes warned that it was now possible to envisage a scenario where a regulated entity was so badly damaged by a cyber-attack that it was forced out of business. While noting APRA deemed such an outcome to be unlikely, he said it was no longer beyond the realms of possibility.
Though no APRA-regulated entity has yet suffered significant losses due to an information security incident, Mr Summerhayes said the growing scale and sophistication of cyber criminals meant a material breach was “probably inevitable”.
“Australian financial institutions are among the top global targets for cyber criminals. Australia is targeted due to its relative wealth and take-up of digital technologies, while financial institutions are attractive to criminals seeking money or personally identifiable information on customers,” he said.
While information security is generally well-handled by regulated entities, there are several areas that require greater attention. These include assurance over service providers’ cyber capabilities, basic cyber hygiene, and preparing to respond and recover once an incident has occurred.
The US credit monitoring firm Equifax provided a timely example of how an inadequate response to a cyber breach can compound the damage caused by the incident. While sensitive financial details of 150 million Americans were stolen, the company’s reputation was further damaged by its response: a standalone website established for victims was targeted by hackers, while the company’s official Twitter account shared a fake link four times before the mistake was identified. Equifax remains engaged in a determined effort to restore its reputation, but the community’s trust – a crucial commodity for financial institutions – will take time to be fully restored.
Compounding the potential risks Australian entities face from a poorly handled response to an information security incident is the commencement in February this year of the Notifiable Data Breaches Scheme. By forcing organisations to notify anyone affected by a data breach, as well as the Australian Information Commissioner, the scheme removes the option of entities keeping quiet and hoping that a data breach will escape public and media scrutiny. The growing power of social media further increases the reputational risks from a breach, by amplifying the ability of customers to share their dissatisfaction.
The findings of APRA’s 2015 and 2017 cyber security surveys indicate the maturity of regulated entities’ ability to respond to and recover from cyber security incidents varies. More than 20 per cent of respondents to the 2017 survey indicated they had not tested their ability to respond to and recover from cyber security incidents during the previous year. Furthermore, although 90 per cent of respondents to last year’s survey had formalised response plans for plausible cyber security scenarios, these plans were sometimes untested and/or lacked integration with business continuity and disaster recovery plans. By introducing CPS 234, APRA will be requiring that incident response plans be fully tested and integrated.
Though the financial sector has long been alert to the threat posed by cyber adversaries, it’s only in the past five years or so that the issue has been high on industry risk registers. For example, cyber threats hardly rated a mention in the annual Insurance Banana Skins world risk report in 2013, but came in at number four in 2015 and number two last year² — and have been cited in the report as the number one risk by insurers in Australia for two surveys running.
An accelerating risk requires a rapid response from industry, but it also needs to be targeted and tested. By adopting the measures mandated by APRA’s proposed new prudential standard, entities will enhance their capability to repel a cyber-attack. Perhaps more importantly, given the pervasiveness and persistence of the threat, they will be better placed to respond and recover when their cyber defences are inevitably breached.
1 See Mr Summerhayes’ speech: http://www.apra.gov.au/Speeches/Pages/Computer-terminal-velocity-07Mar18.aspx
2 See https://www.pwc.com.au/publications/insurance-banana-skins-2017.html
Poor operational due diligence not worth the risk
The importance of high quality due diligence in relation to investment decisions and investment processes is well understood. Perhaps less appreciated is the need for robust due diligence in relation to the operational environment of investment managers.
APRA has been reviewing industry practices in operational due diligence (ODD) for investment managers in superannuation, as the quality of ODD provides insights into the risk culture and overall approach to risk management of the investment manager.
Effective ODD is a critical component of investment management. Registrable superannuation entity (RSE) licensees are exposed to a broad range of operational events, and their impact can vary widely — many things can and will go wrong if the operational environment of the investment manager is deficient. These events may include:
- an inability to process transactions;
- inadequate or incorrect trade execution and settlement;
- valuation errors;
- failure to comply with relevant laws and regulations;
- problems with service providers; or
- a range of business disruption events.
Financial returns may increase when the risks are higher for credit, investment and other risks; however there are no additional returns provided from increasing operational risk. Hence the importance of better practice in operational due diligence for investment managers.
In superannuation, the need for better practice ODD stems from APRA’s requirements in Prudential Standard SPS 530 Investment Governance, as well as the Superannuation Industry (Supervision) Act 1993 (SIS Act) obligation to formulate and give effect to an investment strategy. It is for RSE licensees to establish the most effective and efficient method of determining and implementing this investment strategy in the context of their particular circumstances. Similarly, RSE licensees need to determine their ODD needs and how operational due diligence is best carried out.
It is essential for RSE licensees to adequately understand the ability of their external investment managers to deliver the required services such that investment strategy and objectives can be met. A robust, well executed ODD process provides valuable insights into the degree of alignment between the investment manager and the goals of the RSE licensee, and also the risk culture of the investment manager. A key objective of ODD is to minimise the likelihood of the RSE licensee bearing excess levels of (unrewarded) operational risk from external sources.
APRA has observed a range of industry practices in relation to operational due diligence. Some, particularly larger, RSE licensees have their own dedicated resources to determine requirements and perform ODD appropriate to their circumstances. At the other end of the spectrum, some RSE licensees may have given the discipline little thought.
The exact nature of ODD enquiries, and how these are best performed, will be determined by several factors, including:
- the size and nature of the investments (and hence the scale and nature of the operational risks);
- the size, structure, ownership and product offering of the investment manager; and
- the extent of reliance on the investment manager (i.e. the proportion of the portfolio managed).
RSE licensees need to have an appropriate policy governing their ODD program, which addresses the above factors, and how resources are deployed to conduct the due diligence.
Phases of due diligence
While due diligence is often described as a single process, it consists of three distinct phases – information gathering, validation and assessment.
The ultimate responsibility for evaluating and assessing the suitability of an investment manager remains with the RSE licensee; however the first two phases can be performed either in-house or by external providers. In all circumstances the necessary enquiries, investigation and evaluations need to be performed by appropriately skilled individuals, with knowledge of operational requirements and the associated risks.
There are two main models by which an external consultant is engaged to conduct operational due diligence. Under an ‘owner-led’ model, consultants are engaged directly by the RSE licensee to conduct ODD on the investment manager. The consultant investigates and reports on the investment manager, typically including a recommendation back to the RSE licensee, and covering all phases of the ODD process.
Under a ‘manager-led’ model, consultants are engaged by the investment manager to produce an operational due diligence report which the investment manager is then able to provide as needed to RSE licensees considering using the manager.
Under either model, the RSE licensee still needs to evaluate the ODD report and determine whether any further action is required. RSE licensees need to determine how best to obtain the necessary information for ODD, how to verify that information, and then how to evaluate it. This should be based on the assessed risks of different investment strategies, asset classes, styles or managers, and could involve a mix of the above two models.
Governance and review
Just as critical as the strategy and program for ODD is the governance of the process of undertaking due diligence. Critically, those charged with making the operational assessments need to be sufficiently empowered. Investments should not occur where the operational assessments have judged a manager insufficient, irrespective of the views of other areas.
For the ODD process to deliver value to the RSE licensee, it needs to be sufficiently robust and the review results need to form part of the feedback loop for the RSE licensee to monitor and assess investment manager performance on a holistic basis. Additionally, RSE licensees need to monitor operational conditions on an ongoing basis, and identify and take appropriate action when situations arise that would warrant revisiting ODD — for example after a merger or restructure at an investment manager. It is also possible that specific due diligence is required on particular areas, such as for managing a new asset class.
The results of any assurance reviews are also critical inputs into any ODD assessment.
Recent industry focus
There has been an increased focus on operational due diligence in the superannuation sector over the past 12 months, with industry bodies promoting better ODD practice among their members. Ongoing efforts by industry bodies and regulators to engage with stakeholders on ODD requirements are now being reflected in greater recognition of the benefits of undertaking ODD, beyond it being seen as largely a compliance exercise. There is now a greater level of constructive dialogue around ‘how’ to best roll out ODD, rather than ‘why’ it is needed.
There has also been ongoing industry dialogue regarding the respective benefits of the owner-led and manager-led models. APRA’s interactions with industry suggest, however, that there is broad agreement on the overarching benefit to the industry as a whole of enabling as many RSE licensees as possible (regardless of their scale and internal resource levels) to have access to robust operational due diligence information irrespective of the review model adopted.
Last year the Australian Institute of Superannuation Trustees (AIST) released guidance, with additional support materials, on a cost-effective framework for their member funds to meet due diligence obligations. The Financial Services Council (FSC) has also consulted on a standard Operational Due Diligence Questionnaire they are developing for their member organisations. Both of these industry initiatives are expected to, over time, help to clarify expectations and assist in the standardisation of information and reports in relation to ODD across the sector.
Operational risk, unlike investment risk, does not provide any risk premium and so leads to the exposure to loss without any potential reward. Such operational losses have the potential to reduce, or in extreme circumstances eliminate, the benefits from good investment decisions. Better practice operational due diligence is therefore fundamental for investment managers and RSE licensees.
The responsibility for evaluating and assessing the suitability of an investment manager rests with RSE licensees, and their ODD approach needs to reflect the nature of their business operations, and in particular the scale and nature of the risks to which they are exposed. APRA will continue to monitor developments in the implementation of ODD by the industry as part of its ongoing supervision activities.
In February this year, APRA commenced consultation on Phase Two of its private health insurance roadmap for updating the prudential framework for the industry. The consultation package, titled Governance, fit and proper, audit and disclosure requirements for private health insurers, aims to improve governance and decision-making in the private health insurance sector. In essence, it seeks to introduce stronger prudential standards that have successfully lifted capabilities across other APRA-regulated industries.
The governance package follows the release last year of Phase One of the roadmap, in which CPS 220 — APRA’s cross-industry risk management prudential standard — was introduced for private health insurers with effect from 1 April this year. The third phase of the private health insurance roadmap, examining the industry’s capital standards, is likely to commence later this year¹.
As part of the governance package, on which stakeholders have until 2 May to provide submissions, APRA is seeking to:
- replace Prudential Standard HPS 510 Governance with the cross-industry equivalent standard, CPS 510, to strengthen governance practices;
- extend cross-industry Prudential Standard CPS 520 Fit and Proper to the private health insurance industry to ensure the competency and integrity of anyone exercising material influence over an insurer;
- introduce Prudential Standard HPS 310 Audit and Related Matters in recognition of the important role auditors can play in supporting prudential soundness by conducting assessments of internal processes and controls; and
- revoke Prudential Standard HPS 350 Disclosure to APRA to streamline reporting and remove obsolete requirements.
These latest proposed changes to the prudential framework are designed to bolster the resilience of the industry by increasing the likelihood that boards, senior managers, auditors and actuaries will identify and take decisive action on emerging issues.
APRA aims to finalise the standards later this year, with the new measures expected to come into force from 1 July 2019.
The importance of strong governance
Like any other financial services sector, the $23 billion private health insurance sector requires strong and effective governance to meet the challenges before it.
The proportion of the population covered for hospital treatment has declined by an average 1.1 per cent over the last five years. This rate of decline was 1.5 per cent over the two years to December 2017, falling from 47.1 per cent coverage to 45.6 per cent, as premium rises continue to outstrip income growth in the community. The average 3.95 per cent increase in the latest round of premium changes was the lowest in 17 years, but still well above growth in average weekly earnings (1.8 per cent).
As affordability declines, the younger, healthier cohort – who are needed to subsidise the older and less well in a community-rated system – is increasingly exiting the system, raising average claims costs for insurers and premiums for remaining policyholders. Significantly, not one submission to the recent Senate Committee report into the affordability and value of private health insurance expected premiums to fall in the near-term.
Changes in community expectations and demands, and resulting change to public policy settings, pose further tests for the boards of private health insurers to manage.
Adding to this environment has been heightened political and media scrutiny of private health insurers, including the examination of measures to further reduce premium rises and a Productivity Commission inquiry into the sector. A Senate Committee report released in December made 19 recommendations to address affordability and value in private health insurance². Such attention further highlights the challenges for insurers in the current environment and the need for strong governance.
As stated in its submission to the recent Senate Inquiry, APRA does not believe private health insurers are over-capitalised, nor does it see opportunity for a material reduction in capital levels. In a difficult business environment, it is vital insurers retain prudential buffers that minimise their risk of breaching APRA’s minimum requirements and their own capital targets, in order to ensure they remain able to meet policyholder claims quickly and reliably when they are called upon to do so.
Insurers must also raise awareness of the affordability factors adversely impacting the sector that are largely outside their direct control. Rising claims costs are the primary drivers of the affordability dilemma, and it is essential that the important reform process started by the Government in October last year continues in order to address this. The population is ageing, and the private health insurance policyholders are ageing, on average, even faster. Consumers are demanding more medical services, while the cost of procedures and treatments keeps significantly outpacing inflation. Private health insurers are unable to address these issues on their own, but they are important participants in the debate about how best to do so.
Rising to the challenge
Although APRA has no prudential concerns about the state of Australian private health insurance at the moment, the risks noted above raise the possibility that could change over coming years. All insurers are vulnerable to adverse changes in their operating environment, but not equally so; entities with superior governance, business planning and risk management practices are better placed to adapt to change and overcome threats.
It is often smaller funds with lower levels of scale, access to resources and technical sophistication that find this most challenging. But regardless of size, all insurers should be considering on-going viability and the value they provide to members as part of their regular strategic reviews; funds with low or negative membership growth should be looking at this option especially closely so they are well prepared should consolidation become necessary.
The standards and guidelines contained in APRA’s latest package of prudential reforms are designed to help insurers of all sizes and levels of resourcing identify sustainability concerns and take prompt, decisive action to address them. In doing so, they put themselves in the best position to remain resilient and serve their policyholders into the future.
1 See APRA Executive Board Member Geoff Summerhayes’ speech, “Health Insurer, heal thyself: APRA’s prescription for financial sustainability”
2 Senate Standing Committee on Community Affairs – Value and affordability of private health insurance and out-of-pocket medical costs: www.aph.gov.au/Parliamentary_Business/Committees/Senate/Community_Affairs/Privatehealthinsurance/Report